Note: This is an archival copy of Security Sun Alert 200851 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000642.1.
Article ID : 1000642.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-10-28
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in the Solaris 10 Internet Protocol (ip(7P)) may Lead to a Denial of Service (DoS) Condition



Category
Security

Release Phase
Resolved

Product
Solaris 10 Operating System

Bug Id
6577595

Date of Resolved Release
29-OCT-2007

Impact

A security vulnerability in the Solaris 10 Internet Protocol (ip(7P)) may allow a local unprivileged user the ability to cause a system panic, thereby causing a Denial of Service (DoS) to the system as a whole.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 10 with patch 118833-04 or later and without patch 127111-02

x86 Platform

  • Solaris 10 with patch 118855-03 or later and without patch 127112-02

Note: Solaris 8 and Solaris 9 are not impacted by this issue.


Symptoms

If the described issue occurs, the system will panic with a stack trace similar to the following:

    panic[cpu3]/thread=300027ab340:
    BAD TRAP: type=34 rp=2a1011a6f90 addr=139 mmu_fsr=0
    ip_wput_ire+0x1bc0(600040f35a8, 60004042a18, 0, 10000, 0, 0)
    ip_output+0x964(0, 60004042b88, 0, 0, 0, 60009b42470)
    udp_output_v4+0x5c4(60009afaac0, 0, d0000, 6000499b650, 600040f35a8, 2a1011a769c)
    udp_output+0x448(60009afaac0, 6000498b300, 60004903358, 300002a2680, 20104022, 10)
    udp_wput_data+0xd8(60009afaac0, 6000498b300, 60004903358, 0, 0, 0)
    sodgram_direct+0xbc(6000a343ca0, 60004903358, 10, 2a1011a7aa0, 6000498b300, 0)
    sotpi_sendmsg+0x454(6000a343ca0, 2a1011a7a70, 2a1011a7aa0, 0, 1200020, 0)
    sendit+0x134(3, 2a1011a7a70, 2a1011a7aa0, 60004903358, 6000a343ca0, 0)
    sendto+0x64(3, 21208, 5, 0, ffbffa24, 10)
    syscall_trap32+0xcc(3, 21208, 5, 0, ffbffa24, 10)

 


Workaround

There is no workaround. Please see the "Resolution" section below.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 10 with patch 127111-02 or later

x86 Platform

  • Solaris 10 with patch 127112-02 or later


References

127112-02
127111-02




Attachments
This solution has no attachment